
While similar to this question, I'm asking with regard to a traditional ISP environment where you are running your own server center and firewall access lists.

With a Bandwidth Exhaustion attack, the success of the attack is simply a measure of how much bandwidth they have purchased, in comparison to how much the target datacenter has available.

A well orchestrated attack will come from more than one ISP, or even many (DDoS), and the source IP address will be randomized. This makes it more difficult for the receiving ISP to block the traffic prior to reaching the customer's datacenter, and also eliminates simple retaliation as a possible (though undesirable) solution.

  • I'd like to know what the procedure is to minimize the success of such an attack, beyond the simple answer of purchasing more bandwidth? I assume identifying the source and blocking the packets can only be accomplished with the ISP, and there's nothing the datacenter owners can do on their end.

  • If the attack originates from other ISPs, is it necessary for the originating ISPs to cooperate to stop the attack?

  • When the DDoS attack is successfully blocked, is legal action often pursued? I assume the attacker could easily start a new account and run the attacks again otherwise.

  • This is a fiber-optic internet connection. At a certain level of bandwidth, do distant attacks become less successful? (assuming a limited number of attack sources)

700 Software
  • More bandwidth is the only solution, but don't do it yourself, get a [specialist](https://support.cloudflare.com/hc/en-us/articles/205177068-Step-1-How-does-CloudFlare-work-) – paj28 Aug 03 '16 at 14:38
  • If you host servers in a data centre in London, for example, you have dedicated lines like 1 Gbps or 10 Gbps or something without limits. It is a different story for VPS servers, where there are limits (caps), and cloud servers (where there are costs per gigabyte transferred). In the case of cloud servers, incoming packets are not accounted for, so anything your server receives but does not respond to costs zero. Some VPS providers also stopped charging for incoming traffic. This is a very useful feature, not only because of attacks but also for cheap monitoring applications (like video streaming). – Aria Aug 03 '16 at 14:39
  • The success of each DDoS attack depends on how exactly it is executed. For example, the most recent DDoS on the BBC was sent from AWS, so AWS managed to find out how it was done and secure their systems. Or, if an attack comes from a single set of 10 Gbps links from a single location, it usually takes a few hours to track it down (even if it's spoofed). This way further attacks are also prevented. If the attack is from a botnet, the botnet is disabled, which might take a day or two. Launching a large DDoS is a very difficult (rare) and non-repeatable operation. – Aria Aug 03 '16 at 14:43
  • So it's not like the ISP deals with it alone; global internet operators usually deal with it along with other infosec teams. – Aria Aug 03 '16 at 14:44
  • Your question sounds like you think that a DDoS would overload the connection between the server and the ISP. However, a DDoS actually overloads the server to make the server stop responding. – vakus Aug 03 '16 at 15:11
  • @vakus, Bandwidth Exhaustion / Volume DDoS is a specific type of DDoS that is intended to overload the network connection, not the server. – 700 Software Aug 03 '16 at 15:49
  • @GeorgeBailey Oh right, I did not know, sorry about that. – vakus Aug 03 '16 at 17:27
  • @Aria Botnets don't just "get disabled", do they? They consist of thousands of home computers taken over by malware. ISPs can do their best to detect botnet behaviour and block these computers, but there are a lot of networks out there which don't do this. – Jordan Melo Aug 03 '16 at 17:46
  • Malware usually has IPs and FQDNs hard-coded, so these IPs and FQDNs are simply blocked by standard opsec teams. Get real - massive DDoSes are very rare. – Aria Aug 03 '16 at 18:09

1 Answer


The answer to your question varies wildly based on ISP. Some ISPs are very capable of handling DDoS attacks upstream, while others do absolutely nothing to stop them. Basically, there are three different ways that an ISP can handle them:

  1. Buy extra bandwidth and let any attacks through. The simplest and worst solution.
  2. Have simple monitoring systems to detect attacks, and blackhole any traffic headed to the destination IP. This protects the network as a whole but still causes the customer to suffer a DoS.
  3. Some form of "scrubbing". This is a process, usually third party, of detecting attacks and beginning packet inspection to try to filter out illegitimate traffic. A vast variety of methods are used, from filtering out traffic from foreign countries to detecting amplification attacks (such as DNS Amplification, as described within this US-CERT article). This is the preferred method that most large providers are switching to, since it allows the customer to stay online.

Of course, no matter what the ISP does they can still only filter traffic on their own network boundary. As is the case in the largest DDoS attacks, the bandwidth going to the ISP itself can be overwhelmed. There is little anyone can do in this situation.

Unfortunately, there is not much that the datacenter owners can do on their end. As you say, in a bandwidth exhaustion attack it doesn't matter whether the datacenter owner can filter traffic if they can't receive any traffic at all.

As much as we would like for ISPs to cooperate to stop these attacks, many come from foreign countries and from so called "bulletproof hosting" providers that ignore any complaints of misuse.

Legal action can almost never be pursued. Attackers are very good at hiding themselves behind botnets, and it can be very difficult to find even if someone bothers investigating. If they are found, they are often in foreign countries that do not have laws governing these attacks. The ones in more modern countries hide in legally gray areas, by doing things like offering "stresser" services to "test" your website against attacks without bothering to check if you really own the website.

Fiber-optic connections do not diminish an attack in any significant way, just as they do not diminish legitimate traffic.
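
As an added example (not part of the original answer or of any ISP's actual tooling), the following Python script runs the three options above over constructed NetFlow-style records: it computes the per-destination rate, checks whether the whole customer link is already full (at which point only the upstream can act), looks for the signature of a UDP amplification attack (large packets arriving from reflector service ports such as 53 and 123), and then decides per destination whether to pass, scrub with port/length filters, or blackhole. The flow records, the thresholds, the 512-byte cutoff, the reflector port list and the rule syntax are all assumptions made for the example.

```python
"""Volumetric DDoS triage over flow records, mirroring the three ISP responses
above: let it through, blackhole the destination, or scrub.

Everything here is constructed for the example: the flow records are not a real
capture, and the thresholds, the 512-byte cutoff and the reflector port list are
assumptions, not a vendor's or ISP's actual policy.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports of services commonly abused as amplification reflectors
# (DNS, NTP, chargen, SSDP). Assumed list for the example.
REFLECTOR_SPORTS = {53, 123, 19, 1900}
# A reflected answer is large; a small reply is more likely genuine. Assumed cutoff.
LARGE_UDP_PAYLOAD = 512
WINDOW_S = 10          # export window of the constructed records, in seconds
LINK_BPS = 10_000_000  # assumed customer link of 10 Mbit/s so the numbers stay small


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "udp" or "tcp"
    sport: int
    dport: int
    octets: int
    packets: int


def bps_by_dst(flows, window_s):
    """Bits per second arriving at each destination over the export window."""
    octets = defaultdict(int)
    for f in flows:
        octets[f.dst] += f.octets
    return {dst: n * 8 / window_s for dst, n in octets.items()}


def link_saturated(flows, window_s, link_bps):
    """True when the whole customer link is full; past this point filtering at
    the customer's own edge cannot help and only the upstream can act."""
    return sum(bps_by_dst(flows, window_s).values()) > link_bps


def amplification_share(flows, dst):
    """Fraction of bytes to `dst` that look like reflected UDP responses:
    source port is a reflector service and the average packet is large."""
    total = reflected = 0
    for f in flows:
        if f.dst != dst:
            continue
        total += f.octets
        if (f.proto == "udp" and f.sport in REFLECTOR_SPORTS
                and f.octets / f.packets >= LARGE_UDP_PAYLOAD):
            reflected += f.octets
    return reflected / total if total else 0.0


def scrub_rules(flows, dst):
    """Filter rules (made-up ACL-style syntax) that drop the reflected traffic
    while small replies, e.g. genuine DNS answers, still get through."""
    sports = sorted({f.sport for f in flows
                     if f.dst == dst and f.proto == "udp" and f.sport in REFLECTOR_SPORTS})
    return [f"drop udp from any port {p} to {dst} where length >= {LARGE_UDP_PAYLOAD}"
            for p in sports]


def triage(flows, window_s, link_bps, attack_fraction=0.5, min_amp_share=0.8):
    """Pick an action per destination. attack_fraction: share of the link one
    destination may draw before it counts as an attack. min_amp_share: how
    dominant the amplification signature must be for scrubbing to be worth it."""
    decisions = {}
    for dst, rate in bps_by_dst(flows, window_s).items():
        if rate < attack_fraction * link_bps:
            decisions[dst] = ("pass", [])
        elif amplification_share(flows, dst) >= min_amp_share:
            decisions[dst] = ("scrub", scrub_rules(flows, dst))
        else:
            # No filterable signature: protect the network, this customer goes down.
            decisions[dst] = ("blackhole", [f"route {dst}/32 null0"])
    return decisions


# Constructed sample records (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    # ordinary HTTPS to 203.0.113.10
    Flow("198.51.100.7", "203.0.113.10", "tcp", 51000, 443, 120_000, 150),
    Flow("198.51.100.8", "203.0.113.10", "tcp", 51001, 443, 80_000, 100),
    # DNS/NTP amplification at 203.0.113.20: many reflectors, large answers,
    # plus a little direct UDP flood mixed in
    Flow("192.0.2.11", "203.0.113.20", "udp", 53, 40123, 3_000_000, 1_000),
    Flow("192.0.2.12", "203.0.113.20", "udp", 53, 40124, 3_200_000, 1_000),
    Flow("192.0.2.13", "203.0.113.20", "udp", 53, 40125, 2_800_000, 1_000),
    Flow("192.0.2.14", "203.0.113.20", "udp", 123, 40126, 1_000_000, 500),
    Flow("192.0.2.15", "203.0.113.20", "udp", 5555, 40127, 500_000, 5_000),
    # spoofed UDP flood at 203.0.113.30: random source ports, small packets
    Flow("192.0.2.50", "203.0.113.30", "udp", 3333, 80, 5_000_000, 50_000),
    Flow("192.0.2.51", "203.0.113.30", "udp", 4444, 80, 5_000_000, 50_000),
]

if __name__ == "__main__":
    print("link saturated:", link_saturated(SAMPLE_FLOWS, WINDOW_S, LINK_BPS))
    for dst, (action, rules) in triage(SAMPLE_FLOWS, WINDOW_S, LINK_BPS).items():
        print(dst, action, *rules)
```

With the constructed data the link is oversubscribed (about 16.5 Mbit/s offered against a 10 Mbit/s link), which is the situation the answer describes: the customer edge never sees most of these packets, so the triage has to run on the upstream's flow data. The amplification victim gets scrubbed with source-port plus length filters, while the random-source flood has no such handle and is blackholed, which keeps the rest of the network up at the cost of that one destination.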

  • This is useful information. I would like to note that it is unlikely that persons from a foreign country would be interested in attacking our particular servers. Still, attackers in the same country could most likely route their traffic across the border if they were so inclined. – 700 Software Aug 05 '16 at 19:30
  • Indeed. Many owners of botnets find it easier to maintain them in foreign countries that do not investigate misuse complaints. Countries like China and the former Soviet bloc often contain botnets that run without ever being shut down. The only solution is finding and blocking these IPs. – TheGiantPossum Aug 08 '16 at 16:11